Basic question about firewall rule organization, and grouping by chains.

I have a feeling I know the answer, but just double checking to make sure I’m not missing anything.

When learning all about the firewall, I see a lot of videos and documents where people have their firewall rules for input and forward chains all mixed together. Sort of like this.

input rule 1
input rule 2
forward chain rule 1
input rule 3
forward chain rule 2
input rule 4
forward chain rule 3
forward chain rule 4
forward chain rule 5 (the final deny rule on forward chain)
input rule 5 (the final deny rule on input chain)

But I’m not sure why so many people do it this way; it seems sloppy. Won’t any input chain traffic just skip right over those forward chain rules, and just go through input rules in order 1,2,3,4,5?

Wouldn’t the exact same effect be achieved by organizing them like shown below, while providing easier readability? Since traffic should be destined for one chain or the other, no reason to interlace them together right?

input rule 1
input rule 2
input rule 3
input rule 4
input rule 5 (the final deny rule on input chain)
forward chain rule 1
forward chain rule 2
forward chain rule 3
forward chain rule 4
forward chain rule 5 (the final deny rule on forward chain)

Router doesn’t care. Packet always goes in either input or forward. It’s not skipping over rules in the other chain, it’s just that both chains are displayed on the same screen, but in reality they are completely separate. I agree that having rules for each chain together, rather than mixing them with each other, is much cleaner. But since it doesn’t make a difference for the router, it’s really just an opinion. Someone can have a different one, which would be wrong for me, but not objectively wrong.

The chains are independent from each other but the order shown within a chain is important.
100% agree, that for ease of troubleshooting and understanding one's config, separating the chains is logical and clean, anything else is stewpid!

Now what I want to know is if my explanation is superior to Sobs. I need an ego boost today. :wink:

If I say that I learned a lot from your post, will you believe me? :wink:

Yes, I believe you learned how to be more accurate, succinct and blunt!

I group all my chains together. As noted before, the router does not care, but it makes it far easier for the poor human being that has to read it - that would be me.
You can also create any other chains that you want. Speeds up processing if you can jump to a different chain for one certain type of traffic that needs a lot of rules. Only send that type of traffic to a new chain.
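An added example, not code from the thread, that models what the replies describe: a packet is walked only through its own chain, in listed order, so the interleaved and grouped lists from the question yield identical verdicts, while reordering rules within one chain does change them; it also models the jump to a user chain mentioned in the last reply. The rule fields, chain name "web", default-accept fallback and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    chain: str                       # "input", "forward" or a user chain
    action: str                      # "accept", "drop" or "jump"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    target: Optional[str] = None     # user chain to enter when action == "jump"

def matches(rule: Rule, pkt: dict) -> bool:
    return rule.proto in (None, pkt["proto"]) and rule.dport in (None, pkt["dport"])

def evaluate(rules: List[Rule], pkt: dict, chain: str) -> Optional[str]:
    """Walk only this chain's rules, in listed order; first terminating match
    wins. Returns None when nothing in the chain matched."""
    for rule in rules:
        if rule.chain != chain or not matches(rule, pkt):
            continue                 # rules of other chains are never consulted
        if rule.action == "jump":
            decided = evaluate(rules, pkt, rule.target)
            if decided is not None:
                return decided
            continue                 # user chain fell through: resume after the jump
        return rule.action
    return None

def verdict(rules: List[Rule], pkt: dict) -> str:
    """Traffic to the router itself takes input, everything else forward;
    a built-in chain with no match defaults to accept (assumed here)."""
    chain = "input" if pkt["to_router"] else "forward"
    return evaluate(rules, pkt, chain) or "accept"

# Constructed rule set: the same Rule objects in a grouped and an interleaved list.
INPUT = [Rule("input", "accept", "tcp", 22),          # input rule 1
         Rule("input", "accept", "udp", 53),          # input rule 2
         Rule("input", "drop")]                       # final deny on input
FORWARD = [Rule("forward", "jump", "tcp", target="web"),   # forward rule 1
           Rule("forward", "accept", "udp", 53),           # forward rule 2
           Rule("forward", "drop")]                        # final deny on forward
WEB = [Rule("web", "accept", "tcp", 443), Rule("web", "accept", "tcp", 80)]
GROUPED = INPUT + FORWARD + WEB
INTERLEAVED = [INPUT[0], FORWARD[0], INPUT[1], WEB[0], FORWARD[1], WEB[1], FORWARD[2], INPUT[2]]
PACKETS = [{"proto": p, "dport": d, "to_router": r}          # constructed samples
           for p, d in (("tcp", 22), ("tcp", 80), ("tcp", 8080), ("udp", 53))
           for r in (True, False)]

def same_verdicts(rules_a: List[Rule], rules_b: List[Rule]) -> bool:
    # True when both lists give every sample packet the same verdict
    return all(verdict(rules_a, p) == verdict(rules_b, p) for p in PACKETS)
```

Moving the final deny rule of the input chain to the top of that chain makes `same_verdicts` return False, which is the "order within a chain matters" point.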